CVE-2012-4694 - Vulnerability Details - OpenCVE

Description

Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.

Published: 2013-02-15

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

OR	cpe:2.3:a:moxa:edr_g903_firmware::::::::
	cpe:2.3:a:moxa:edr_g903_firmware:1.0:::::::*
	cpe:2.3:a:moxa:edr_g903_firmware:2.0:::::::*
	cpe:2.3:a:moxa:edr_g903_firmware:2.1:::::::*

cpe:2.3:h:moxa:edr-g903:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2012-4619	Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00385.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf
http://www.moxa.com/support/download.aspx?type=support&id=492

History

No history.

Subscriptions

Moxa Edr-g903 Edr G903 Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2013-02-15T11:00:00.000Z

Updated: 2024-09-16T17:03:16.356Z

Reserved: 2012-08-28T00:00:00.000Z

Link: CVE-2012-4694

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-02-15T12:09:27.633

Modified: 2026-04-29T01:13:23.040

Link: CVE-2012-4694

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-02-15T11:00:00.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2012-4694", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"name": "http://www.moxa.com/support/download.aspx?type=support&id=492", "refsource": "CONFIRM", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:42:55.129Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2012-4694", "datePublished": "2013-02-15T11:00:00.000Z", "dateReserved": "2012-08-28T00:00:00.000Z", "dateUpdated": "2024-09-16T17:03:16.356Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "073FFA29-3EA2-4A26-8381-9667B3F28A77", "versionEndIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "801FAD11-D12C-4B2B-8469-07409254E2AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0C58E1CB-D824-4ED0-9CD1-6DA14092F5E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B629626D-56E2-4D72-BED0-7729B8365DE1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:edr-g903:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDB89B47-4598-4F6D-951F-DF546C8CAA96", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}, {"lang": "es", "value": "Los routers de la serie Moxa EDR-G903 con firmware anterior a v2.11 no utilizan una fuente suficiente de entrop\u00eda para (1) SSH y (2) llaves SSL, lo que hace que sea m\u00e1s f\u00e1cil para atacantes MITM (man-in-the-middle) a la hora de falsificar un dispositivo o modificar un flujo de datos cliente-servidor mediante el aprovechamiento de conocimiento de una clave de una instalaci\u00f3n del producto en otros lugares."}], "id": "CVE-2012-4694", "lastModified": "2026-04-29T01:13:23.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-15T12:09:27.633", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"source": "ics-cert@hq.dhs.gov", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}